Security spending continues to run a step behind the threats

George V. Hulme | Oct. 17, 2013

Survey finds breaches and associated costs continue to rise.

Many respondents still can't adequately identify or respond to breaches. In fact, only 61 percent inspect their inbound and outbound network traffic, and fewer than that had used malware analytics to fight advanced threats, or used security event and information management systems to detect potential incidents.

"We are all taught in security 101 to put the basic defensive controls in place first. Most don't get to that point, let alone beyond it. However, there are companies out there, more mature companies, that have built in the ability to respond," says Rothman. "The problem is that they are not the general population. Typically, if they see a breach—if they even see it in the first place—most will call their service provider," he says. And even among companies that do invest in the technology needed to detect and respond to attacks, many don't have the expertise on staff to take full advantage of the tools' capabilities.

If you can't see the threats, it's almost impossible to respond to them intelligently, and this reality is reflected in the survey results. Only 18 percent of organizations reported being extremely effective at reporting, managing and intercepting cyberthreats. The majority reported that they were minimally effective or did not know how effective they were.

The industry is "too heavy-handed when it comes to investing in preventative controls," says Jay Leek, CISO at private equity firm The Blackstone Group. "We have not invested enough in detective and reactive—what I call 'response'—controls. I believe that we need to focus more on how well we can identify and respond to attacks," he says.

"If you look at security programs in large organizations, they probably spend 70 to 80 percent of their budget on preventative measures. These budgets, I found, also largely correlate to where resources are typically focused, leaving only 20 to 30 percent focused on detective and reactive controls," Leek says.

"It's clearly not working," he adds. "And I would think that incident response would be an ideal place to focus today because the nature of IT systems and their complexity means the chance of one experiencing a security breach has got to be high. You have to assume you would need the ability to respond one day."